From 557a05135eac976f6a89492ea3943593c5b22555 Mon Sep 17 00:00:00 2001
From: Raphael Michel <mail@raphaelmichel.de>
Date: Mon, 28 Aug 2017 09:17:56 +0200
Subject: [PATCH] Allow connect-src to media domain

---
 src/pretix/base/middleware.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/pretix/base/middleware.py b/src/pretix/base/middleware.py
index 2724a0c29..fa0f7385e 100644
--- a/src/pretix/base/middleware.py
+++ b/src/pretix/base/middleware.py
@@ -184,7 +184,7 @@ class SecurityMiddleware(MiddlewareMixin):
             'frame-src': ['{static}', 'https://checkout.stripe.com', 'https://js.stripe.com'],
             'child-src': ['{static}', 'https://checkout.stripe.com', 'https://js.stripe.com'],
             'style-src': ["{static}", "{media}", "'nonce-{nonce}'"],
-            'connect-src': ["{dynamic}", "https://checkout.stripe.com"],
+            'connect-src': ["{dynamic}", "{media}", "https://checkout.stripe.com"],
             'img-src': ["{static}", "{media}", "data:", "https://*.stripe.com"],
             # form-action is not only used to match on form actions, but also on URLs
             # form-actions redirect to. In the context of e.g. payment providers or